Privacy Policy

This privacy policy explains how Goatee Productions Oy ("we", "us", "our") collects, uses, and protects your personal data when you use Sightaro and related services.

1. Data Controller

Goatee Productions Oy
Business ID: 2943182-4
Rastilanraitti 3 B 33, 00980 Helsinki, Finland
Contact: privacy@sightaro.com

2. Data We Collect

We collect the following categories of data:

• Account data: Email address, name, and profile information provided through Clerk authentication.
• Support data: Bug reports, feature requests, votes, and any files you upload through our support portal.
• Usage data: Pages visited, browser type, device information, and IP address collected automatically through server logs.
• Product data: License keys and product registration information associated with your account.

3. Legal Basis for Processing

We process your data based on the following legal grounds under the GDPR:

• Contract performance: Account data and product data are necessary to provide our services.
• Legitimate interest: Usage data for service improvement and security.
• Consent: Support data you voluntarily submit.

4. Data Processors

We use the following third-party services to process your data:

• Clerk — Authentication and user management. Processes account data. See Clerk's Privacy Policy.
• Convex — Database and backend services. Stores support data and product data. See Convex's Privacy Policy.
• Vercel — Hosting and deployment. Processes usage data through server logs. See Vercel's Privacy Policy.

5. Data Retention

• Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion.
• Support data: Retained for the lifetime of the service to maintain support history. Anonymized upon account deletion.
• Usage data: Server logs are retained for 90 days.
• Product data: Retained for as long as your account is active and for 12 months after deletion for license verification purposes.

6. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access: Request a copy of all personal data we hold about you.
• Right to rectification: Request correction of inaccurate data.
• Right to erasure: Request deletion of your data ("right to be forgotten").
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to restriction: Request limitation of processing in certain circumstances.
• Right to object: Object to processing based on legitimate interests.

To exercise any of these rights, contact us at privacy@sightaro.com. We will respond within 30 days.

7. International Data Transfers

Some of our data processors (Clerk, Convex, Vercel) are based in the United States. Data transfers to the US are conducted under appropriate safeguards, including the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs).

8. Cookies

We use only essential cookies required for authentication and session management through Clerk. We do not use advertising or tracking cookies.

9. Data Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews of our infrastructure and third-party processors.

10. Children's Privacy

Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us at privacy@sightaro.com.

11. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. The relevant authority for Finland is:

Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
Lintulahdenkuja 4, 00530 Helsinki
tietosuoja.fi

12. Sightaro Android App

The Sightaro Android player app (package com.gigtools.sightaro) requests the permissions listed below. All processing follows the same legal bases, retention periods, and rights described elsewhere in this policy.

• Camera (CAMERA): Used only to scan QR codes during device registration. The camera feed is processed on-device; no photos or video are recorded, stored, or transmitted.
• Location (ACCESS_FINE_LOCATION, ACCESS_BACKGROUND_LOCATION): Used to trigger location-based audio playback during cruises and, optionally, to record cruise tracks. Foreground and background location capture happens only while a cruise is active. Location data is stored on the device and uploaded to our backend (Convex) only when you choose to share a recorded track. Location features are disabled by default in the alpha track and must be enabled by the operator.
• Notifications (POST_NOTIFICATIONS): Used to display a foreground service notification while GPS recording or audio playback is active, as required by Android.
• Storage (offline content): The app stores playlists, audio files, and a local SQLite database (sightaro.db) on the device for offline playback. Stored data is removed when you uninstall the app or clear app data.
• Device identifiers: The app registers a per-install device ID and license key with our backend to authenticate API requests. We do not collect advertising IDs or hardware identifiers.

The Sightaro app does not contain advertising, does not share data with third parties for advertising or analytics, and does not sell personal data.

13. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated through our website or by email. Your continued use of the service after changes constitutes acceptance of the updated policy.